In this article, we’ll take a look at some of the most common malware persistence mechanisms as malware likes to persist whenever they take control of any compromised system.
Windows has a lot of AutoStart Extension Points (ASEP) which makes it easier for the malware to persist so that it can continue doing its work in the background.
We have talked about malware persisting in systems but what actually is persistence and why does malware persist? Let’s have a look and find out.
What is Persistence?
Persistence refers to the malware’s ability to remain active and running on a compromised system, even after the system reboots.
This is the key feature of malware that allows it to continue to cause harm or exploit the system even after the initial infection.
The goal of persistence is to evade detection and removal by security software or the user and to continue to cause harm to the system and its user.
This can include stealing personal information, encrypting files and demanding ransom, or using the infected computer to launch further attacks on other systems.
As malware achieves persistence in Windows mainly through the use of registry keys or asep registry it is better to have a good understanding of the Windows registry before we actually move to the malware persistence techniques.
What is Windows Registry and What is a Registry Key?
The Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems.
Windows creates this database of configuration settings during installation
It contains information and settings for low-level operating system components as well as for applications and users on the computer.
Registry keys are the individual entries within the Registry, which can contain values and subkeys.
These registry keys and values are used to configure various aspects of the operating system and installed programs.
Note: It’s important to use caution when modifying the Registry as making an incorrect change can cause the system to become unstable or inoperable.
- Root Key – The windows registry is divided into five top-level sections called the root keys. Each of these root keys serves a particular purpose.
- Subkey – A subkey is like a subfolder within a folder.
- Key – A key is a folder in the registry that can contain additional folders or values.
- Value entry – A value entry is an ordered pair with a name and value.
- Value or data – Data stored in a registry key.
Windows Registry Keys List
So, the root keys which I mentioned above are actually split into the following five registry keys:
- HKEY_LOCAL_MACHINE (HKLM) – Stores settings that are global to the local machine, including hardware settings, device drivers, and installed software.
- HKEY_CURRENT_USER (HKCU) – Stores settings that apply to the currently logged-in user, including desktop settings, program settings, and user preferences.
- HKEY_CLASSES_ROOT (HKCR) – Contains file extensions and associated information, COM objects, and registered applications.
- HKEY_CURRENT_CONFIG – Stores settings about the current hardware configuration, especially differences between the present and the standard configuration
- HKEY_USERS – contains settings for all users on the computer, including user-specific settings and profiles.
Out of these five keys, the two most commonly used keys are HKLM and HKCU.
HKLM is the root key, which stores the subkeys of SOFTWARE, Microsoft, Windows, CurrentVersion, and Run.
As you now have already got an idea that malware persists mainly with the help of registry keys and writing entries to the Run subkey is a well-known way to set up the software to run automatically, the next time the computer boots. While it’s not a very stealthy technique, it is often used by malware to launch itself automatically.
Common Malware Persistence Mechanisms
One of the critical ways that malware can persist on a Windows system is through various persistence mechanisms.
These mechanisms are used to ensure that the malware continues to run on a system, even after it has been rebooted or after the security software has been run.
There are various methods that malware can use to achieve persistence, such as modifying the registry, creating scheduled tasks, installing itself as a service, or using rootkits to hide its presence.
By using these methods, malware can ensure that it runs automatically when the system starts, runs periodically or runs constantly in the background.
In this article, we will explore some of the most common malware persistence techniques.
Registry Run Keys
Registry keys are the most popular and common malware persistence mechanism used by threat actors.
The Windows registry is a database that stores configuration settings for the operating system and installed software.
Malware can create or modify registry keys to run automatically when the system starts.
This allows the malware to persist even after the system has been rebooted.
Malware achieves persistence by modifying the registry keys in one of AutoStart Extention Points (ASEPs). Below are some of the registry keys that malware mostly achieves its persistence by editing the registry keys at the User Level:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
If the malware is able to gain admin privileges, it will infect some of the keys at admin/system-level privileges:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Startup Folders
For example, malware can create a new key in the registry that runs a specific file when the system starts.
Another common persistence mechanism is the use of startup folders. These folders are used to automatically launch programs when the user logs in.
Malware can place a copy of itself in the startup folder, causing it to run automatically when the user logs in.
This can make it difficult for the user to remove the malware, as it will continue to run even after the user has attempted to delete it.
Startup keys are located at both Local Machine and Current User:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Scheduled Tasks
Scheduled tasks are a feature in Windows that allows users to automate the execution of programs or scripts at specified intervals.
Malware can use this feature to establish persistence on a system by creating a new scheduled task that runs the malware’s payload.
The registry keys that are used to store scheduled tasks are located in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree key.
Each scheduled task has its own subkey under this key, and the subkey contains information about the task, including the name, author, and triggers for the task.
For example, malware may create a new scheduled task that runs a malicious executable, the malware will create a new key under the Tree key, with the name of the task, and the key will have values that contain the path to the malicious executable, the schedule for the task, and any other necessary information.
However, It is important to note that not all tasks in the TaskCache\Tree are malicious, some are created by the system or by the user.
It is thus necessary to review the task and the values under it to determine if the task is malicious or not. If you suspect that your computer may be infected with malware, it’s best to seek help from a professional.
Windows Services Registry
Services are another persistence mechanism that malware can use. Services are programs that run in the background and can be used to perform a variety of tasks.
Malware can install itself as a service, allowing it to run automatically in the background without user interaction. This can make it difficult for the user to detect the malware and remove it.
Apart from the above registry keys that malware exploits, malware sometimes also exploits other keys that are used to start background services like remote registry service.
The malware registers itself as a service and persists in the registry keys. These registry keys are located at:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Services\Once
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Services
BootExecute Key
From the name itself, it has to do something with the system boot. Right?
So, when the system boots up it loads several processes in order for the smooth execution of the boot process.
One such process is the Session Manager Subsystem (smss.exe), a component of the Microsoft Windows family of Operating systems, which is responsible for starting the user session.
This is the first user-mode process selected by the kernel and since, smss.exe launches before the windows subsystem loads, it calls the configuration subsystem to load the hive present at:
- HKLM\SYSTEM\CurrentControlSet\Control\hivelist
Also, smss.exe will launch anything present in the BootExecute key at
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager
It should always have the value of autocheck autochk*. If there are more values in it, then probably the malware is likely to launch at boot.
Browser Helper Objects (BHO)
Browser Helper Objects (BHOs), ehh.. what the heck?
They are a type of software component that can be added to web browsers to provide additional functionality.
They are typically used to add toolbars, search providers, and other features to the browser. However, malware can also use BHOs to establish persistence on a system.
A BHO is a dynamic-link library (DLL) file that is loaded by the browser when it starts up.
The browser reads information about the BHO from the Windows Registry, specifically the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects.
When the browser starts, it loads the DLL file and runs the code contained within it. In this way, malware can use a BHO to run its payload each time the browser starts, allowing it to establish persistence on the system.
It is however important to note that not all BHOs are malicious as some are created by legitimate software developers to provide additional functionality to the browser.
AppInit DLLs
AppInit DLLs are a type of software component that can be used to establish persistence on a system.
They are DLLs that are loaded by the Windows operating system when a user logs in before any other applications are started.
When the operating system starts, it reads a list of DLLs to load from the Windows Registry, specifically the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs key.
If a DLL is listed here, it is loaded into memory and its code is executed.
Malware can use this feature to establish persistence by adding a malicious DLL to the AppInit_DLLs key. This allows the malware to run its payload each time the user logs in, and to remain active until the user logs out or the system is shut down.
DLL Search Order Hijacking
DLL Search Order Hijacking is a technique used by malware to establish persistence on a Windows system.
It involves the malware placing a malicious DLL with the same name as a legitimate DLL in a location that is searched by the operating system before the legitimate location of the DLL.
When a program attempts to load a DLL, the operating system will load the malicious DLL instead of the legitimate one, allowing the malware to run its payload and establish persistence on the system.
Additionally, it can also be used to compromise the security of legitimate programs by replacing a legitimate DLL with a malicious one.
Rootkits
Rootkits are a type of malware that can be used to hide the presence of other malware on a system.
Rootkits can be used to hide files, processes, and other system components, making it difficult for security software to detect malware. This can make it difficult for the user to remove the malware.
Bootkits
Bootkits are a type of malware that can infect the master boot record (MBR) or other bootloader components.
This allows the malware to execute itself before the operating system starts. This can make it difficult for the user to remove the malware, as it will run automatically every time the system is booted.
Fileless Malware
Lastly, Fileless malware is a type of malware that resides in memory only and does not create any physical file on the disk, making it hard to detect. They can be executed through script or macros and can evade traditional antivirus software.
Malware often uses the registry for persistence or configuration data. And as soon as the malware gets inside the victim’s machine it tries to modify several registry keys to achieve persistence.
The malware adds entries into the registry that will allow it to run automatically when the computer boots up or a user logs in.
Conclusion
Malware persistence is a critical aspect of any successful malware attack, as it allows the malware to maintain a foothold on the infected system and continue to carry out its malicious activities.
We have also discussed various techniques that malware can use to establish persistence on a system, such as modifying the Windows Registry, adding new scheduled tasks, or using bootkits.
Additionally, techniques like DLL Search Order Hijacking and App Init DLLs can be used to establish persistence by compromising legitimate software and replacing it with malicious versions.
